diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 8f6eaa0d..df598c94 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -106,7 +106,7 @@ http {
       {% endif %}
 
       # If TLS is failing, prevent access to anything except certbot
-      {% if KUBERNETES_INGRESS != 'true' and TLS_ERROR and not TLS_FLAVOR == "mail" %}
+      {% if KUBERNETES_INGRESS != 'true' and TLS_ERROR and not (TLS_FLAVOR in [ 'mail-letsencrypt', 'mail' ]) %}
       location / {
         return 403;
       }
diff --git a/towncrier/newsfragments/1686.bugfix b/towncrier/newsfragments/1686.bugfix
new file mode 100644
index 00000000..932d7d7c
--- /dev/null
+++ b/towncrier/newsfragments/1686.bugfix
@@ -0,0 +1 @@
+Fix letsencrypt access to certbot for the mail-letsencrypt flavour